Eyes only

By the time you read this, the government should have announced its plans
regarding encryption. An announcement was rumoured to happen at the end of
February but it was cancelled due to ‘completely wrong announcements on
the Internet’ (according to a DTI official). This is surprising, if there
are some rumours or some confusion then surely an early clarification should be
the rule? What has been leaked is that the Government would ban strong
encryption and create a network of Trusted Third Parties (TTPs). These are
organisations licensed to provide encryption to all and sundry – with a
small catch. These TTPs will keep a key of all the software and services they
sell. And the software will be engineered in a way that the keys cannot be
modified.

As more and more communication is becoming electronic, any restriction on
encryption is a threat to our personal privacy. With a ban on strong encryption
all electronic communication between law-abiding citizens will be trivial to
tap by any security agency, the police, and... criminals. Of course
criminals are by definition not respectful of the law and will be the only
individuals able to continue to use strong encryption.

By this point you might wonder why I'm writing this column. After all
I haven't mentioned anything really related to software development. There
are two reasons why you – EXE reader – should be particularly
concerned by this issue. First, it does concern every UK resident and, second,
the encryption technology is extremely complex. Software developers are among
the few who could have the background to grasp all the consequences of such a
ban.

For instance how can such a ban be enforceable? Look at all the hidden
Easter egg credits hidden in many large pieces of software. Most of them
managed to pass all the checks done by the Q&A department. And if you
consider that this is more a reflection on the professionalism of Q&A
teams, there are available on the net some simple (to use) steganography
programs which let you hide information in graphic files. So everyone having
electronic data could be believed to have some strong crypto hidden and hence
become a suspect.

If you want to ensure the authenticity of your software you need to
provide a digital certificate for it. If these certificates are based on weak
crypto sooner or later they will be cracked and someone else will be able to
masquerade some software as being issued by you. The same applies for digital
signatures, with potentially even worse effects. When digital signatures become
legally binding (it has already happened in some countries), anyone who can
bypass the crypto will be able to impersonate you and possibly ruin your
life.

I just hope it is not too late to react. Get a copy of PGP while you still
can. Voice your opinion. If you have any suggestion for an effective opposition
please send it to EXE and we will relay your ideas. My PGP key is available
at http://www.exe.co.uk/panda/#PGP.